+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 23
Windows Thread, Proxy bypass details in cookies in Technical; We are having a bit of an 'issue' with proxy bypass abuse in the college at present, and are looking ...
  1. #1
    theeldergeek
    Guest

    Proxy bypass details in cookies

    We are having a bit of an 'issue' with proxy bypass abuse in the college at present, and are looking at ways of dealing with this.

    In the short term, we search cookies for words like "Bebo" which in turn uncover those sites which are being used for access.

    I have noticed that these sites 'plant' the destination site usernames within cookies, and have proved this out by picking a username out of a cookie, and doing a search for said username on Bebo.

    Is it possible that these proxy by-pass sites also plant passwords in cookies, albeit encrypted or hashed in some way?

    Is it possible to reveal these passwords?

    We are trying a tactic of 'scaring' students to demonstrate that their details are held within cookies and such like, and that these proxy bypass sites are not secure and could easily be 'hijacking' students details for more malicious use. If we could uncover a few passwords within these cookies, we would really have some ammo, and it would be a big bonus to demonstrate to students how unsafe their actions potentially are.

    Does anyone know a way of revealing passwords in cookie files, if indeed they are stored within such?

    We are of course looking at longer term solutions such as teacher control of computers in classrooms, however, a short term 'shock and awe' tactic would be most welcome!

    TIA

  2. #2
    PEO
    PEO is offline
    PEO's Avatar
    Join Date
    Oct 2007
    Posts
    2,095
    Thank Post
    457
    Thanked 152 Times in 96 Posts
    Rep Power
    72
    can you identify the areas its been done? college library, IT classes?

  3. #3
    Joanne's Avatar
    Join Date
    Nov 2007
    Location
    Lancashire
    Posts
    1,598
    Thank Post
    133
    Thanked 138 Times in 118 Posts
    Blog Entries
    17
    Rep Power
    78
    ethereal was one that could decrypt passwords... but i think that was from traffic if found there and then. It also took some setting up... but once it was set up you could get allsorts of info from it.

  4. #4

    Domino's Avatar
    Join Date
    Oct 2006
    Location
    Bromley
    Posts
    4,160
    Thank Post
    216
    Thanked 1,262 Times in 793 Posts
    Blog Entries
    4
    Rep Power
    508
    I think the guy who originally developed ethereal has moved on to wiresharek now - might be worth a look

  5. #5
    theeldergeek
    Guest
    Quote Originally Posted by MrHappy View Post
    can you identify the areas its been done? college library, IT classes?
    No, in the main we are looking at cookies written to their profile when they log off, i.e. those held on the server.

    We would be able to look at the local machine on many occasions though as teachers would be able to highlight which machine a user was logged into.

  6. #6
    Jona's Avatar
    Join Date
    May 2007
    Location
    Cranleigh
    Posts
    469
    Thank Post
    14
    Thanked 50 Times in 48 Posts
    Rep Power
    23
    It would be very bad website practice to store a password in a cookie. I will probably only be storing a session ID, even if it was to store a password it would probably be md5'ed (or similar) which is impossible to decrypt except comparing like strings. I think you need to find one of these cookies and do more in-depth analysis.


    Ethereal can't decrypt passwords but if setup right it would be able to sniff them going over the network in some circumstances, although possible not if it's an SSL connection as that would basically be a man-in-the-middle attack

  7. #7
    theeldergeek
    Guest
    Quote Originally Posted by Jona View Post
    It would be very bad website practice to store a password in a cookie. I will probably only be storing a session ID, even if it was to store a password it would probably be md5'ed (or similar) which is impossible to decrypt except comparing like strings. I think you need to find one of these cookies and do more in-depth analysis.


    Ethereal can't decrypt passwords but if setup right it would be able to sniff them going over the network in some circumstances, although possible not if it's an SSL connection as that would basically be a man-in-the-middle attack
    Hmmm, not good..... I know nothing of sniffing, so would be interested in developing this further, although, we obviously don't want to spend huge resources (in respect of time) getting this going - there are other, more appropriate methods out there I'm sure - we were looking for a short 'shock' tactic to get the students to understand the potential consequences of their actions.

    In so far as it being bad practice, methinks the purveyors of these proxy by-pass sites don't actually have any morals, so with a bit of luck, their bad practice will be a tool which we can use to counter-attack the intended usage.

  8. #8
    Joanne's Avatar
    Join Date
    Nov 2007
    Location
    Lancashire
    Posts
    1,598
    Thank Post
    133
    Thanked 138 Times in 118 Posts
    Blog Entries
    17
    Rep Power
    78
    you could block the proxy bypass websites?

    we blocked a load... plus the words *proxy* and *proxy bypass* and *proxybypass*

    I could send you a csv file of them all if you wanted :P

  9. #9
    Gerry's Avatar
    Join Date
    Jun 2007
    Location
    North Wales
    Posts
    431
    Thank Post
    60
    Thanked 38 Times in 35 Posts
    Rep Power
    24
    Our policy is to immediately ban the internet for any student caught using a proxy bypass for a fortnight. They also get a disciplinary letter explaining that they've breached the acceptable use policy they or their parents/guardian signed when they applied for an IT account. We also try to ban as many proxy bypass sites as possible, but new ones keep popping up all the time.

  10. #10
    theeldergeek
    Guest
    Quote Originally Posted by Joanne View Post
    you could block the proxy bypass websites?

    we blocked a load... plus the words *proxy* and *proxy bypass* and *proxybypass*

    I could send you a csv file of them all if you wanted :P

    Oh, we've blocked 100's of sites, and block several more each week. We also use web filtering as you suggest to block the searching of sites, but as you are probably aware, this is but a small solution to a huge problem and cetainly isn't the answer.

    What we ultimately will have, is teacher control software, however, for the time being, we want something that will make the kids sit up and pay attention, i.e. revealing to them their Bebo login details!

  11. #11
    theeldergeek
    Guest
    Quote Originally Posted by Gerry View Post
    Our policy is to immediately ban the internet for any student caught using a proxy bypass for a fortnight. They also get a disciplinary letter explaining that they've breached the acceptable use policy they or their parents/guardian signed when they applied for an IT account. We also try to ban as many proxy bypass sites as possible, but new ones keep popping up all the time.
    Our policy is also to ban them, however, this is having little or no impact, as they then go and use another students account, or just don't care.

    We are now discussing a total Internet ban for good.... that is, they will be unable to use the Internet unsupervised, full stop.

    Ultimately, we are going to have our system set up so the Internet is blocked by default and it is only when a teacher allows it in a classroom via control software that it will be available.

    It has got to such a stage now that these social networking sites have become an addiction to many - not that I ever got addicted to the Internet myself of course....

    Difficult to preach what so many of us probably don't practice! I mean, how many unrelated to work websites have us lot been on today!

    Nonetheless, I still want to catch the little sods!

  12. #12
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,488
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Quote Originally Posted by Jona View Post
    It would be very bad website practice to store a password in a cookie.
    True, but remember that lots of proxy bypass sites are (allegedly) run for the purpose of gathering exactly that information for use in fraud, scams, etc. Sites doing such things wouldn't be storing the information in cookies though, instead logging it centrally on their own server somewhere.

    @tx2online - I like where you're going with this, but wonder if you're perhaps over-thinking it slightly. Since the default privacy setting on MySpace is to have your profile public, you can probably see the profile pages for lots of the students, so you could possibly achieve much the same effect by looking at a few profiles and then asking a kid "so, how was the party at John's house at 8pm on Saturday night then? I hear you made out with Sarah..." or whatever.

  13. #13

    Theblacksheep's Avatar
    Join Date
    Feb 2008
    Location
    In a house.
    Posts
    1,935
    Thank Post
    138
    Thanked 290 Times in 210 Posts
    Rep Power
    193
    We ban all proxies, we dont allow searching for proxies and we get an email warning from our server when anyone is searching for them. We VNC and warn anyone doing so to get off straight away.

    We also watch what sites arent categorised and add them to the lists as we go.

    The most effective thing i've found are keywords that prevent searching i the first place. Alot of students have given up and used their mobile phones.

  14. #14


    Join Date
    Oct 2006
    Posts
    3,412
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    Just use a content filter then you dont need to "scare" kids as they wont be getting on any baughty sites eitherway

  15. #15
    theeldergeek
    Guest
    Quote Originally Posted by NickJones View Post

    @tx2online - I like where you're going with this, but wonder if you're perhaps over-thinking it slightly. Since the default privacy setting on MySpace is to have your profile public, you can probably see the profile pages for lots of the students, so you could possibly achieve much the same effect by looking at a few profiles and then asking a kid "so, how was the party at John's house at 8pm on Saturday night then? I hear you made out with Sarah..." or whatever.
    erm... but if that's publicly possible anyway, we won't be able to shock them into realising we can effectively 'hack' their details when they are using our network.

    One also might imagine the reputation you'd get amongst the students if you went through their 'social' profiles - they'd think you were a bit 'strange' shall we say, and it might attract some unwanted interest in your own social activities.

    No, if we can 'hit' them from a technical angle to say "look, what you are doing is not only wrong, but potentially dangerous - see I have your account details" then they might think twice about accessing proxy by-pass sites.

    Given these sites are so 'infectious' amongst youngsters, and given they are so protective over things like MSN and Bebo accounts, then to demonstrate an ability to reveal the account details to them would maybe keep them from accessing such via alternative means? Who knows?

    However, when all is said and done, it seems it is not the easiest of things to do (for obvious reasons!) and although potentially achievable using 'sniffers', might require considerable time to set up and then diagnose.

    I was hoping to view a cookies content, and using some 3rd party util, reveal encrypted passwords left behind by the site, but it's looking most unlikely that I can.


SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. proxy bypass sites
    By bishopsgarthstockton in forum Links
    Replies: 77
    Last Post: 7th December 2006, 11:29 AM
  2. Proxy Bypass Websites
    By ticker in forum Windows
    Replies: 13
    Last Post: 24th May 2006, 09:28 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •